Louis Roché edited this page Oct 15, 2015 · 11 revisions

Welcome to the Caml Crush wiki!

This wiki will be provisioned with content that details how to configure daemons and applications so that sensitive cryptographic material is isolated from their memory space using PKCS#11 and Caml Crush.

Pre-requisite

Caml Crush is presumed to be installed on the server (either packaged or compiled); see the documentation.

We also assume that a software HSM is available on the system (be it SoftHSM, openCryptoki, ...).

It will have to be operational (initialized) and provisioned with cryptographic material. For this purpose we recommend opkcs11-tool or OpenSC's pkcs11-tool.

Note on key usage segregation

Depending on the cipher suites that TLS will use, proper key usage segregation is not possible. When the RSA cipher suites are negotiated, a key with the CKA_DECRYPT=TRUE attribute is used during the key exchange. When RSA PFS suites are used, a key with the CKA_SIGN=TRUE attribute is used. When both types of suites are enabled, both attributes should be set to TRUE on the same key, which breaks key usage segregation. Therefore, it is necessary to relax some of the filtering rules to have a working setup.

If do_segregate_usage is enabled then the following rules should be commented out:

(**** Fixing PKCS#11 with patchset 1 *
See FILTER.md for a detailed explanation of patchset 1 and 2.
default ON;
*)
filter_actions_post = [ (".*",
(******** CryptokiX conflicting attributes patch addendum for existing objects *)
....
 (*   (C_DecryptInit, conflicting_attributes_patch_on_existing_objects), *)
 (*   (C_SignInit, conflicting_attributes_patch_on_existing_objects),    *)
 (*   (C_FindObjects, conflicting_attributes_patch_on_existing_objects), *)
...

The following rules should be modified to use dangerous_sensitive_keys_escrow_all:

(**** Fixing PKCS#11 with patchset 1 *
See FILTER.md for a detailed explanation of patchset 1 and 2.
default ON;
*)
filter_actions_post = [ (".*",
(******** CryptokiX conflicting attributes patch addendum for existing objects *)
....
    (C_DecryptInit, dangerous_sensitive_keys_escrow_all),
    (C_SignInit, dangerous_sensitive_keys_escrow_all),
    (C_FindObjects, dangerous_sensitive_keys_escrow_all),
...
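
An added example (not part of the Caml Crush wiki or code base) for the note on key usage segregation above: given an expanded OpenSSL cipher list, it reports which of CKA_DECRYPT and CKA_SIGN an RSA server key needs, and whether both are required, which is the case where the filter rules have to be relaxed. The function names and sample cipher lists are constructed for illustration, the server key is assumed to be RSA, and any suite name outside the listed prefixes is assumed to be a static RSA suite.

```python
from typing import Optional

# Prefixes whose key exchange is ephemeral or SRP-based: an RSA server key,
# if present (second token "RSA"), only signs the exchange parameters.
SIGNING_KX = {"ECDHE", "DHE", "EDH", "SRP"}
# Prefixes that never use an RSA private key.
NO_RSA_KX = {"ADH", "AECDH", "PSK", "ECDH", "DH"}


def required_attribute(suite: str) -> Optional[str]:
    """PKCS#11 attribute an RSA server key needs for one OpenSSL suite name,
    or None when the suite does not use an RSA private key."""
    name = suite.strip().upper()
    if name.startswith("TLS_"):
        return "CKA_SIGN"  # TLS 1.3: the key only signs the handshake
    parts = name.split("-")
    if parts[0] in SIGNING_KX:
        return "CKA_SIGN" if parts[1:2] == ["RSA"] else None
    if parts[0] in NO_RSA_KX:
        return None
    # Assumption: any other name is a static RSA suite (AES128-SHA, RSA-PSK-...),
    # where the server decrypts the premaster secret with its private key.
    return "CKA_DECRYPT"


def analyse(cipher_list: str) -> dict:
    """Group a colon-separated, already expanded cipher list by attribute."""
    needed = {}
    for suite in (s.strip() for s in cipher_list.split(":")):
        if not suite:
            continue
        attr = required_attribute(suite)
        if attr:
            needed.setdefault(attr, []).append(suite)
    return {
        "by_attribute": needed,
        # Both attributes on one key: usage segregation cannot be enforced.
        "must_relax_filter": {"CKA_DECRYPT", "CKA_SIGN"} <= set(needed),
    }


if __name__ == "__main__":
    # Constructed sample lists, in the format printed by `openssl ciphers`.
    for label, ciphers in [
        ("PFS only", "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA"),
        ("mixed", "ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA"),
    ]:
        print(label, analyse(ciphers))
```

When must_relax_filter is False, the server's cipher list needs only one of the two attributes and the default filter rules can stay in place.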

Web Server scenarios

Other services

To Be Done

  • Web servers

    • Apache mod_gnutls
  • Other services

    • bind DNSSEC
  • OSS PKI

    • EJBCA
    • SignServer
  • Apps

    • apps linked with GnuTLS should mostly work using PKCS#11 URL
    • apps using OpenSSL engine with "engine_pkcs11" (stunnel, and others)